Forensic Options - Locked / Broken Mobile Devices

“JTAG” and “chip-off” processes are a well-known last resort when standard forensic tools can’t recover data from a locked or damaged mobile device. While these terms may be well-known, the actual processes are extremely technical and involve an understanding of circuit board and memory chip architectures. Here is what you need to know about each process to make the right choice for your specific case.

DEFINITIONS

“JTAG” is shorthand for a standard set of tools built into almost every mobile device circuit board that simplify device testing and quality control. JTAG is an acronym for “Joint Test Action Group”, which was the industry group that originally defined these standard tools. Forensic examiners can piggyback on these testing tools to directly access a device’s memory chip, often bypassing the password or encryption scheme.

“Chip-off” methods involve physically removing a memory chip from the device circuit board and reading it with a separate chip-reading apparatus. This process is not reversible, so the original device is rendered inoperable. The actual process is like performing precision surgery on a circuit board. Flashback Data has even used X-ray machines to help us in some very technical chip-off cases. Even for an experienced examiner, the chip-off process isn’t without risks. Newer mobile devices are not built to be disassembled, and it’s possible to damage the memory chip and render some or all of the data inaccessible.

WHEN SHOULD YOU CHOOSE ONE OR THE OTHER?

If the target device is operational, but locked, JTAG should be your first choice. It often allows you to bypass password or encryption schemes and usually doesn’t damage the device. If JTAG doesn’t work, you can always move on to a chip-off option.

If the target device is damaged and not operational, then a chip-off process is likely your only option. Be aware that there’s still a risk that removing the chip will damage its memory, so it’s important to use an experienced, accredited lab when you need a chip-off exam.

WHAT IS THE OUTPUT OF EACH OF THESE PROCESSES?

Regardless of the method, the goal of performing a JTAG or chip-off process is to get a physical image of the memory chip on a specific device. Of course, that’s not the end of the forensic examination. The examiner will then need to use that image (or as much of it as is recoverable) to reconstruct the data, analyze it forensically, and produce a comprehensive report for use in ongoing investigations and prosecutions.

GET HELP TODAY!

If your digital crime lab can't access data from a locked or broken mobile device, CONTACT FLASHBACK DATA. We’re experts in the most complex digital forensics cases and our turnaround time is a fraction of what you’ll find at RCFL or your state lab.